October 16, 2024:
“We will continue targeting ChatGPT until the genocide supporter, Tal Broda, is fired and ChatGPT stops having dehumanizing views of Palestinians,” Anonymous Sudan responded in a Telegram post explaining its attacks on OpenAI.
Still, Anonymous Sudan’s true goals haven’t always seemed entirely ideological, Akamai’s Seaman says. The group has also offered to sell access to its DDoS infrastructure to other hackers: Telegram posts from the group as recently as March offered the use of its DDoS service, known as Godzilla or Skynet, for $2,500 a month. That suggests that even its attacks that appeared to be politically motivated may have been intended, at least in part, as marketing for its moneymaking side, Seaman argues.
“They seem to have thought, ‘We can get involved, really put a hurting on people, and market this service at the same time,’” Seaman says. He notes that, in the group’s anti-Israel, pro-Palestine focus following the October 7 attacks, “there’s definitely an ideological thread in there. But the way it weaved through the different victims is something that maybe only the perpetrators of the attack fully understand.”
At times, Anonymous Sudan also hit Ukrainian targets, seemingly partnering with pro-Russian hacker groups like Killnet. That led some in the cybersecurity community to suspect that Anonymous Sudan was, in fact, a Russia-linked operation using its Sudanese identity as a front, given Russia’s history of using hacktivism as false flag. The charges against Ahmed and Alaa Omer suggest that the group was, instead, authentically Sudanese in origin. But aside from its name, the group doesn’t appear to have any clear ties to the original Anonymous hacker collective, which has been largely inactive for the last decade.
Aside from its targeting and politics, the group has distinguished itself through a relatively novel and effective technical approach, Akamai’s Seaman says: Its DDoS service was built by gaining access to hundreds or possibly even thousands of virtual private servers—often-powerful machines offered by cloud services companies—by renting them with fraudulent credentials. It then used those machines to launch so-called layer 7 attacks, overwhelming web servers with requests for websites, rather than the lower-level floods of raw internet data requests that DDoS hackers have tended to use in the past. Anonymous Sudan and the customers of its DDoS services would then target victims with vast numbers of those layer 7 requests in parallel, sometimes using techniques called “multiplexing” or “pipelining” to simultaneously create multiple bandwidth demands on servers until they dropped offline.
For at least nine months, the group’s technical power and brazen, unpredictable targeting made it a top concern for the anti-DDoS community, Seaman says—and for its many victims. “There was a lot of uncertainty about this group, what they were capable of, what their motivations were, why they targeted people,” says Seaman. “When Anonymous Sudan went away, there was a spike in curiosity and definitely a sigh of relief.”
“This was a massive amount of attacks,” Estrada said. “We are determined to hold cybercriminals accountable for the grave harm they cause.”
This is a developing story. Check back for updates.